CVE-2025-70296

Published: Feb 11, 2026Modified: Feb 23, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.

Affected (1)

Products: Mealie: Mealie

Mealie

1 product

Mealie

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mealie Mealie	From 3.3.1 to 3.8.0

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (3)

https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-70296/CVE-2025-70296.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/mealie-recipes/mealie/issues/6690

Source: cve@mitre.org

Issue Tracking

https://github.com/mealie-recipes/mealie/pull/6743

Source: cve@mitre.org

Issue Tracking

Timeline

No history available yet.